E-commerce businesses rely heavily on digital tools to understand users, optimise conversion rates and target advertising. Retargeting platforms, analytics solutions, advertising networks and anti-bot mechanisms have become a standard element of modern online commerce.

From a technological perspective, implementing such tools often appears straightforward. A marketing team deploys a tag, script or API connection, and the tool begins collecting data about user behaviour.

From a legal perspective, however, the reality is often far more complex.

Many of these technologies involve sophisticated data-processing ecosystems that extend beyond the website where they are deployed. What appears to be a simple marketing integration may in practice trigger extensive data sharing with global technology platforms, often involving multiple controllers, cross-border transfers and behavioural profiling.

This growing complexity explains why regulators across Europe have begun to focus more closely on how marketing technologies process personal data.

For e-commerce companies, this area is becoming one of the most sensitive aspects of GDPR compliance.

The hidden complexity of marketing technologies

In many projects we analyse, the implementation process follows a familiar pattern. An online retailer decides to deploy a tool recommended by a marketing agency or technology partner. The integration is quick and technically simple.

But the legal implications may be much more complicated.

A single marketing or analytics tool may involve:

  • multiple independent data controllers,
  • joint controllership arrangements,
  • behavioural tracking and profiling,
  • cross-border data transfers,
  • and the reuse of collected data within global advertising ecosystems.

These elements are not always visible to the businesses deploying the technology.

For example, retargeting platforms may not rely solely on cookies. In some configurations they also process additional identifiers such as hashed email addresses, phone numbers or CRM-based customer identifiers, which are used to match individuals with advertising accounts across multiple platforms.

From a GDPR perspective, such operations may constitute a separate form of personal data processing and therefore require an independent legal basis and additional transparency obligations.


Legal risks behind audience-matching technologies

A particularly sensitive area concerns audience-matching technologies, such as Google Customer Match or Meta Custom Audiences.

These tools allow companies to upload identifiers from their customer databases – typically hashed email addresses or phone numbers – to advertising platforms. The platform then compares these identifiers with its own user accounts and creates targeted advertising audiences.

From a marketing perspective, the mechanism is extremely effective.

From a GDPR perspective, however, it raises significant concerns.

The central issue is the legal basis for such processing.

Companies sometimes attempt to rely on legitimate interest for this type of targeted advertising. However, regulatory practice increasingly suggests that this approach may not be sufficient.

European data protection authorities have pointed out that individuals who provide their contact details to a company – for example during a purchase or account registration – do not reasonably expect that these identifiers will later be used to target them across external advertising ecosystems.

As a result, tools such as Google Customer Match or Meta Custom Audiences may require separate, explicit user consent for the use of customer contact data in advertising audience matching.

Without such consent, companies risk engaging in unlawful disclosure of personal data to third-party advertising platforms.
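To make the preceding points concrete, the following Python script is an added example written for this article; it is not code from Google, Meta or any other platform named above. It models the mechanism described earlier (customer identifiers are normalised, hashed with SHA-256 and compared against the platform's own account list) and shows two things a compliance-minded implementation needs: that a hashed email remains a personal identifier, because the receiving party can hash its own records the same way and re-identify every match; and how an export can be gated so that only records carrying a separate, explicit consent for audience matching are ever uploaded. The normalisation rule (trim, lowercase, SHA-256), the customer records and the "platform" account list are all assumptions constructed for illustration.

```python
"""Hashed customer identifiers are still personal data; gate the export on consent.

Added example, not any advertising platform's code. The normalisation rule below
(trim whitespace, lowercase, SHA-256 of UTF-8) is an assumption chosen for
illustration. All records are constructed sample data, not real people.
"""
import hashlib
from dataclasses import dataclass


def normalise_email(email: str) -> str:
    """Canonical form so that both sides derive the same hash (assumed rule)."""
    return email.strip().lower()


def hash_identifier(email: str) -> str:
    """Deterministic hash: same input always gives the same output, which is
    exactly why it can be matched (and therefore is not anonymisation)."""
    return hashlib.sha256(normalise_email(email).encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class CustomerRecord:
    email: str
    # Recorded separately from the purchase/registration purpose: explicit
    # consent to use this contact detail for advertising audience matching.
    consent_audience_matching: bool


# Constructed CRM export (hypothetical customers).
CRM_EXPORT = [
    CustomerRecord("Anna.Kowalska@example.com ", True),
    CustomerRecord("jan.nowak@example.com", False),
    CustomerRecord("  PIOTR.WISNIEWSKI@example.com", True),
]

# Constructed account list held by a hypothetical advertising platform.
PLATFORM_ACCOUNTS = [
    "anna.kowalska@example.com",
    "jan.nowak@example.com",
    "someone.else@example.com",
]


def build_upload(records):
    """Hash only records with audience-matching consent.

    Returns (hashes_to_upload, excluded_emails). The excluded list exists so
    the decision can be written to an audit log, not so it can be uploaded.
    """
    included, excluded = [], []
    for record in records:
        if record.consent_audience_matching:
            included.append(hash_identifier(record.email))
        else:
            excluded.append(record.email)
    return included, excluded


def platform_match(uploaded_hashes, platform_accounts):
    """What the receiving platform can do with the upload: hash its own
    account emails under the same rule and look each uploaded hash up.
    Every hit is an individual singled out for targeting, name or not."""
    index = {hash_identifier(email): email for email in platform_accounts}
    return [index[h] for h in uploaded_hashes if h in index]


if __name__ == "__main__":
    hashes, excluded = build_upload(CRM_EXPORT)
    print(f"uploading {len(hashes)} hashed identifiers; excluded (no consent): {excluded}")
    print("platform re-identified:", platform_match(hashes, PLATFORM_ACCOUNTS))
```

The point of `platform_match` is not that the platform does anything exotic: a plain dictionary lookup over its own hashed account list is enough to turn every uploaded hash back into a known account, which is why the article treats hashed uploads as a disclosure of personal data requiring its own legal basis rather than as anonymised data.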


Regulators are increasingly scrutinising ad-tech practices

Recent regulatory enforcement illustrates that these risks are not merely theoretical.

In 2023, the French data protection authority (CNIL) imposed a €40 million fine on the advertising platform Criteo. Among other issues, the authority concluded that the company had failed to demonstrate a valid legal basis for processing personal data used within its advertising ecosystem. The regulator also identified shortcomings in transparency and the handling of data subject rights.

Similarly, European regulators have questioned the use of advertising audience-matching tools such as Facebook Custom Audiences. German authorities concluded that uploading customer contact data – even in hashed form – may require explicit user consent.

These cases demonstrate a broader regulatory trend: ad-tech ecosystems are increasingly treated as high-risk environments for personal data processing.


When behavioural tracking becomes personal data processing

Another important issue concerns the identifiability of individuals in digital environments.

Many marketing technologies rely on identifiers that do not directly reveal a person’s name or email address. These may include cookie IDs, advertising identifiers, device fingerprints or behavioural profiles.

However, under the GDPR this does not remove them from the category of personal data.

Recital 30 of the GDPR explicitly recognises that individuals may be associated with online identifiers provided by devices, applications, tools and protocols, including cookie identifiers and other tracking technologies. These identifiers may leave traces which, when combined with other information, can be used to create profiles and identify individuals.

In practical terms, this means that if a user views a product – for example a pair of running shoes – on one website and later sees the same product advertised across multiple websites, it demonstrates that the user has been tracked and recognised within an advertising ecosystem.

Even if the platform operator does not know the user’s name, the individual has been identified well enough to target advertising specifically to them.

This is precisely the type of processing that the GDPR was designed to regulate.


Compliance requires both legal and technical design

These examples illustrate a broader point: compliance with the GDPR in digital marketing environments cannot rely solely on contractual clauses or privacy policies.

It requires carefully designed technical and organisational processes.

Businesses deploying marketing technologies should ensure that:

  • users receive clear and detailed information about how their data is processed,
  • the purposes of processing are transparent,
  • the legal bases are correctly identified,
  • the roles of technology providers are properly assessed,
  • data retention periods are clearly communicated,
  • and international data transfers are appropriately disclosed.

In other words, compliance must be built into both the technical implementation and the documentation surrounding it.

The GDPR was created to protect the privacy of individuals – including their privacy in digital environments, where personal data is often generated not through traditional identifiers but through behavioural signals and online tracking technologies.


Supporting e-commerce companies in navigating ad-tech compliance

At JLSW Janaszczyk Lis & Wspólnicy, we regularly support e-commerce companies in analysing the legal implications of digital marketing and analytics tools used within their online ecosystems.

Our work often includes:

  • assessing the roles of technology providers (controller, processor or joint controller),
  • analysing contractual frameworks with global technology platforms,
  • evaluating consent mechanisms and transparency requirements,
  • reviewing international data-transfer structures,
  • and designing risk-mitigation strategies for complex ad-tech environments.

Our goal is not to discourage businesses from using modern marketing technologies. These tools are essential for digital commerce.

Instead, our focus is to ensure that companies can implement them in a way that is both technologically effective and legally sustainable.